feat: start on AI integration

2026-04-24 13:56:42 +02:00
parent 15584c72f7
commit 78609377be
16 changed files with 2410 additions and 8 deletions
--- a/lib/bds/ai/secret_backend.ex
+++ b/lib/bds/ai/secret_backend.ex
@@ -0,0 +1,33 @@
+defmodule BDS.AI.SecretBackend do
+  @moduledoc false
+
+  @aad "bds-ai-secret"
+
+  def encrypt(value) when is_binary(value) do
+    key = secret_key()
+    iv = :crypto.strong_rand_bytes(12)
+
+    {ciphertext, tag} =
+      :crypto.crypto_one_time_aead(:aes_256_gcm, key, iv, value, @aad, true)
+
+    {:ok, Base.encode64(iv <> tag <> ciphertext)}
+  end
+
+  def decrypt(encoded) when is_binary(encoded) do
+    with {:ok, binary} <- Base.decode64(encoded),
+         <<iv::binary-size(12), tag::binary-size(16), ciphertext::binary>> <- binary,
+         plaintext when is_binary(plaintext) <-
+           :crypto.crypto_one_time_aead(:aes_256_gcm, secret_key(), iv, ciphertext, @aad, tag, false) do
+      {:ok, plaintext}
+    else
+      _other -> {:error, :invalid_ciphertext}
+    end
+  end
+
+  defp secret_key do
+    case Application.get_env(:bds, :ai_secret_key) do
+      key when is_binary(key) and byte_size(key) >= 32 -> binary_part(key, 0, 32)
+      _other -> :crypto.hash(:sha256, Atom.to_string(node()) <> ":bds:ai")
+    end
+  end
+end